Cisco Traffic Anomaly Detector Configuration Guide (Software Version 6.1)
Index

Symbols

# (number sign) 10-4

* (wildcard) 2-6, 4-5, 10-3

A

AAA

accounting 3-13

authentication 3-6

authorization 3-11

configuring 3-4

aaa accounting command 3-13

aaa authentication command 3-6

aaa authorization command 3-11

accounting, configuring 3-13

action command 6-19

action flow 10-6

activation

activation-extent command 8-11, 8-13

activation-interface command 8-13

activation sensitivity 8-13

add-service command 6-9

admin privilege level 2-2, 3-7

always-accept 6-21

always-ignore 6-21

anomaly

detected 10-2

flow 10-3

anomaly detection engine memory usage 11-26, 11-28

arp command 11-29

attack report

copying 10-7

detected anomalies 10-2

exporting 10-7, 12-6

exporting automatically 10-7

history 11-25

layout 10-1

notify 10-4

statistics 10-2

timing 10-1

viewing 10-4

attack type

detected attack 10-5

authentication, configuring 3-6

authorization

disabling zone command completion 3-12, 4-7

authorization, configuring 3-8, 3-9

auth packet types 6-11

automatic detect mode 1-5

automatic protection mode 8-3

automatic protect mode 8-3, 9-1

B

banner

configuring login 3-32

Berkeley Packet Filter 5-7

BGP 8-9

burn flash 12-10

bypass filter

command 5-10

configuring 5-10

definition 1-4, 5-1

deleting 5-12

displaying 5-11

C

capture, packets 11-14

CFE 12-10

clear counters command 2-10, 11-4

clear log command 11-11

CLI

changing prompt 3-28

command shortcuts 2-6

error messages 2-5

getting help 2-5

issuing commands 2-3

TAB completion 2-6

using 2-1

command completion 3-12

command line interface

See CLI 2-1

command shortcuts 2-6

config privilege level 2-2, 3-7

configuration

file

copying 12-3

exporting 12-3

importing 12-4

viewing 11-2

importing 12-4

saving router 8-11, 8-14

configuration, accessing command mode 3-12

configuration mode 2-2

configure command 2-7

constructing policies 7-4

copy command

packet-dump 11-17

copy commands

ftp running-config 12-4

log 11-8, 11-10

new-version 12-9

reports 10-7

running-config 4-15, 12-3

zone log 11-10

copy-from-this 4-6

copy guard-running-config command 4-15, 4-17

copy login-banner command 3-33

copy-policies command 7-17

copy wbm-logo command 3-34

counters

clearing 2-10, 11-4

history 11-4

counters, viewing 11-4

cpu utilization 11-27

D

date command 3-24

DDoS

nonspoofed attacks 1-3

overview 1-2

spoofed attacks 1-2

zombies 1-3

deactivate command 8-5

deactivating commands 2-4

default-gateway command 2-10

description command 4-7

detect

automatic mode 1-5

interactive mode 1-5

detect command 8-5

detected

anomalies 10-2

flow 10-6

detected attack 10-5

DETECTOR_DEFAULT 4-3

DETECTOR_WORM 4-3

Detector configuration

resetting 12-13

diff command 7-14, 7-15

disable command 6-7

disabling

automatic export 12-7

disk usage 11-25

DNS

detected anomalies 10-2

TCP policy templates 6-3

tcp protocol flow 10-5

dst-ip-by-ip activation form 8-4

dst-ip-by-ip activation method 8-7

dst-ip-by-name activation method 8-4

dst traffic characteristics 6-12

Dynamic filter

command 8-15

displaying 8-11

timeout 8-9

dynamic filter

1000 and more 5-14

command 5-15, 5-16

definition 1-4

deleting 5-16

displaying 5-13

displaying events 11-7, 11-9

overview 5-2, 5-13

preventing production of 5-16

sorting 5-13

worm 6-23

dynamic filters 9-2

dynamic privilege level 2-2, 3-7

E

enable

command 3-10, 6-7

password command 3-9

enabling services 3-2

entire-zone activation method 8-4

event log

activating 11-8

deactivating 11-8

event monitor command 11-8

export

disabling automatic 12-7

export command 12-6

packet-dump 11-16, 11-17

reports 10-7

exporting

configuration file 12-3

log file 11-10

reports automatically 10-7

exporting GUARD configuration 4-15, 4-17

export sync-config command 4-17

extracting signatures 11-20

F

facility 11-8

file server

configuring 12-2

file-server

command 4-16, 12-2

configuring 12-2

deleting 12-2

displaying 12-3, 12-8

displaying sync-config 4-17, 12-7

file server, displaying sync-config 12-8

filters

bypass 1-4, 5-10

dynamic 1-4, 5-2, 5-13

flex-content 1-4, 5-2

overview 5-1

fixed-threshold 6-16

flash-burn command 12-10

flex-content filter

configuring 5-3

definition 1-4, 5-1

displaying 5-8

filtering criteria 5-2

renumbering 5-3

fragments 10-5

detected anomalies 10-2

policy template 6-3

G

generating signatures 11-20

global mode 2-2

global traffic characteristics 6-12

Guard

configuration mode 2-3

exporting configuration 12-6

GUARD_DEFAULT 4-3

GUARD_LINK 4-3, 4-4

GUARD_TCP_NO_PROXY 4-4

GUARD_ zone template

policy templates included with zone templates 6-4

guard-conf command 4-10

GUARD configuration, exporting 4-15, 4-17

GUARD configuration, importing 4-15

Guard-protection activation methods 8-4, 8-11

H

histogram command 6-23

history command 11-25

host, logging 11-9

host keys

deleting 3-20, 3-21

hostname

changing 3-28

command 3-28

HTTP

detected anomalies 10-2

policy template 6-3

hybrid 10-5

I

idle session, configuring timeout 3-35

idle session, displaying timeout 3-35

importing

configuration 12-4

importing GUARD configuration 4-15

in-band

configuring interface 2-8

in packet types 6-11

install new-version command 12-10

interactive

operation mode 9-4

policy status 6-21

interactive detect mode 1-5

interactive protection mode 8-3

interactive protect mode 8-3, 9-1

interactive-status command 6-21

interface

activating 2-8, 2-9

clearing counters 2-10

command 2-8

configuration mode 2-2

configuring 2-8

configuring IP address 2-9

out-of-band 2-8

ip address

modifying, zone 4-8

IP address command

excluding 4-8

ip address command

deleting 4-9

interface 2-9

zone 4-8

ip route command 2-10

IP scan 10-5

detected anomalies 10-2

policy template 6-3

IP summarization 11-13, 11-14

IP threshold configuration 6-18

K

key command

add 3-21, 3-25

generate 3-22, 3-27

remove 3-26

key publish command 3-22

L

learning

command 7-6, 7-8

constructing policies 7-4

overview 7-2

policy-construction command 7-5

synchronizing results 7-4

terminating process 7-6, 7-8

threshold-tuning command 7-7

tuning thresholds 7-7

learning accept command 7-5, 7-7

learning parameters, displaying 7-9

learning-params

deactivating periodic action 7-8

deactivating periodic-action command 7-5

periodic-action command 4-12, 7-5, 7-8, 7-9

threshold-multiplier command 6-16

threshold-selection command 7-7, 7-10

threshold-tuned command 4-8, 7-11

learning-params command 4-12, 4-17

learning-params fixed-threshold command 6-16

LINK templates 7-4

log file

clearing 11-11

exporting 11-8, 11-10

history 11-25

viewing 11-10

logging, viewing configuration 11-9

logging command 11-8

logging parameters, configuring 11-6

login banner

configuring 3-32

deleting 3-34

importing 3-33

login-banner command 3-32

logo, adding WBM 3-34

logo, deleting WBM 3-35

M

management

MDM 2-13

overview 2-11

SSH 2-13

WBM 2-11

max-services command 6-6

MDM

activating 2-13

memory consumption 11-26

memory usage, anomaly detection engine 11-26, 11-28

min-threshold command 6-6

monitoring

network traffic 11-16, 11-17

MP

upgrading 12-9

mtu command 2-9

N

netstat command 11-31

network server

configuring 12-2

deleting 12-2

displaying 12-3, 12-8

displaying sync-config 4-17, 12-7

network server, displaying sync-config 12-8

new version

installing 12-10

upgrading 12-9

no learning command 7-6, 7-8

non_estb_conns packet type 6-11

nonspoofed attacks 1-3

no proxy policy templates 6-4

notify 10-4

notify policy action 6-20

ns policy templates 6-4

NTP 3-24

enable service 3-25

permit 3-25

server 3-25

O

other protocols

detected anomalies 10-2

policy template 6-3

out_pkts packet type 6-11

out-of-band

configuring interface 2-8

out-of-band interface 2-8

P

packet-dump

auto-capture command 11-13

automatic

activating 11-13

deactivating 11-14

displaying settings 11-14

exporting 11-16, 11-17, 12-6

signatures 11-21

packet-dump command 11-14

packets, capturing 11-14

password

changing 3-7

enabling 3-9

encrypted 3-7

resetting 12-11

password, recovering 12-11

pending 9-2

pending dynamic filters 9-2

displaying 9-3, 9-6

periodic action

accepting policies automatically 7-5, 7-8

deactivating 7-5, 7-8

permit

command 2-12, 2-13, 3-3

permit ssh command 3-21

ping command 11-34

pkts packet type 6-11

policy

action 6-13, 6-19, 6-20

activating 6-14

adding services 6-9

backing up current 6-27, 7-18

command 6-13

configuration mode 2-3

constructing 1-4, 7-2, 7-4

copying parameters 7-17

copy-policies 7-17

deleting services 6-10

disabling 6-14

displaying 8-11

inactivating 6-14

learning-params, fixed-threshold command 6-16

marking as tuned 4-8, 7-11

marking threshold as fixed 6-16

multiplying thresholds 6-17

navigating path 6-13

packet types 6-11

show statistics 6-25

state 6-14

threshold 6-13, 6-15

threshold-list command 6-18

timeout 6-13, 6-19

timeout, configuring 8-11

traffic characteristics 6-12

tuning thresholds 1-4, 7-2, 7-7

using wildcards 6-13, 6-24, 6-26

viewing statistics 7-9

policy set-timeout command 6-19, 8-11

policy template

command 6-4, 6-5, 6-7

configuration command level 6-5

configuration mode 2-3

displaying list 6-4

Guard policy templates for synchronization 6-4

max-services 6-6

min-threshold 6-6

overview 6-2

parameters 6-5

state 6-6

worm_tcp 6-5

policy-template add-service command 6-9

policy-template remove service command 6-10

policy-type activation method 8-4

port scan 10-5

detected anomalies 10-2

policy template 6-3

poweroff command 12-8

privilege levels 2-2

assigning passwords 3-9

moving between 3-10

protect

activation methods 8-4, 8-11

automatic mode 8-3, 9-1

deactivating 8-5

interactive mode 8-3, 9-1

protect command 8-5

protection-end-timer 8-7, 8-15

protection-end-timer command 8-13

protect-ip-state command 8-4, 8-11

protect learning command 7-7

protect-packet command 8-13

protocol traffic characteristics 6-12

proxy

no proxy policy templates 6-4

public-key

displaying 3-27

R

rates

history 11-3

rates, viewing 11-3

reactivate-zones 12-8

reboot command 12-8

rebooting

parameters 12-8

recommendations 9-2

accepting 9-7

activating 9-4, 9-6

change decision 6-21

command 9-6

deactivating 9-3, 9-8

dynamic filters 9-2

ignoring 9-7

overview 9-2

viewing 9-4

viewing pending-filters 9-3, 9-6

redistribute detector command 8-11

reload command 12-8

remote-activate policy action 6-20

remote Guard

activating 5-15

commands

activation-extent 8-11, 8-13

activation-interface 8-13

protection-end-timer 8-13

protect-packet 8-13

terminating protection 8-7, 8-15

remote-guard command 8-7, 8-8

remote Guard list

displaying 8-8

remote Guards

activating 8-5

BGP, activating 8-9

default list 8-7

list 8-8

list activation order 8-8

remove service command 6-10

renumbering flex-content filters 5-3

replied IP summarization 11-13, 11-14

report

See attack report 10-1

reports

details 10-4

exporting 12-6

reqs packet type 6-11

router

command 8-10, 8-13

configuration mode 8-10, 8-13

configuring adjacent 8-12

enabling service 8-10

router configuration mode 2-3

routes, redistributing 8-11

routing table

manipulation 2-10

viewing 2-11

running-config

copy 4-15, 12-3, 12-4

show 11-2

S

saving configuration, router 8-11, 8-14

scanners traffic characteristics 6-12

service

adding 6-9

command 2-11, 2-13, 3-2

copy 7-17

deleting 6-10

MDM 2-13

permissions 3-3

snmp-trap 3-28

wbm 2-11

services

enabling 3-2

session, configuring timeout 3-35

session, displaying idle timeout 3-35

session timeout, disabling 3-35

session-timeout command 3-35

set-action 6-20

show commands

counters 11-4

cpu 11-27

diagnostic-info 11-24

disk-usage 11-25

dynamic-filters 5-13, 5-16

file-servers 12-3, 12-8

flex-content-filter 5-8

host-keys 3-21, 3-23

learning parameters 7-9

learning-params 6-16

log 11-10

log export-ip 11-9

logging 11-9

login-banner 3-33

memory 11-26

packet-dump 11-14

packet-dump signatures 11-21

policies 6-24

policies statistics 6-25, 7-9

public-key 3-23, 3-27

rates 11-3

recommendations 9-4, 9-5

recommendations pending-filters 9-3, 9-6

remote-guards 8-8

reports details 10-4

running-config 11-2

show 11-3

sorting dynamic-filters 5-13

sync-config 4-17

sync-config file-servers 4-17, 12-7, 12-8

templates 4-5

zone policies 6-24

show privilege level 2-2, 3-7

show public-key command 3-27

shutdown command 2-9

signature

generating 11-20

snapshot

backing up policies 6-27, 7-18

command 7-13

comparing 7-14

deleting 7-16

displaying 7-16

saving 7-13, 7-14

snapshot command 7-13

snapshots

save periodically 7-9

SNMP

configuring trap generator 3-28

traps description 3-29

snmp commands

community 3-32

trap-dest 3-28

specific IP threshold 6-18

speed command 2-9

spoofed attacks 1-2

src traffic characteristics 6-12

SSH

configuring 2-13

deleting keys 3-26

generating key 3-22, 3-27

host key 3-23

service 2-13

viewing public key 3-23

ssh key, publishing 3-22

state command 6-14

static route

adding 2-10

syn_by_fin packet type 6-11

sync command 4-13, 4-14

synchronization

exporting configuration 12-6

syns packet type 6-11

syslog

configuring export parameters 11-8

configuring server 11-9

message format 11-8

system log

message format 11-8

T

TACACS+

authentication

key generate command 3-19

key publish command 3-22

clearing statistics 3-16

configuring search 3-15

configuring server 3-13

server connection timeout 3-16

server encryption key 3-15

server IP address 3-14

viewing statistics 3-16

tacacs-server commands

clear statistics 3-16

first-hit 3-14

host 3-14, 3-15

key 3-14, 3-15

show statistics 3-16

timeout 3-14, 3-16

TCP

detected anomalies 10-2, 10-5

no proxy policy templates 6-4

policy templates 6-3

templates

LINK 7-4

viewing policies 4-5

zone 4-3

thresh-mult 6-17

threshold

command 6-15

configuring IP threshold 6-18

configuring list 6-18

configuring specific IP 6-18

marking as tuned 4-8, 7-11

multiplying before accepting 6-16

selection 7-13

setting as fixed 6-16

tuning 1-4, 7-2

worm 6-22

threshold-list command 6-18

threshold selection 7-7

threshold tuning

save results periodically 7-9

time, configuring 3-24

timeout command 6-19, 8-11

timeout session, configuring 3-35

timeout session, disabling 3-35

timezone 3-24

traceroute command 11-33

traffic

monitoring 11-16, 11-17

trap 11-8

trap-dest 3-28

tuning policy thresholds 7-7

U

UDP

detected anomalies 10-3

policy templates 6-3

unauth_pkts packet type 6-11

unauthenticated TCP detected anomalies 10-3

upgrading 12-9

MP 12-9

user

detected anomalies 10-3

user filter

command 5-3

username

encrypted password 3-7

username command 3-6

users

adding 3-6

adding new 3-6

assigning privilege levels 3-6

deleting 3-8

privilege levels 2-2, 3-9

system users

admin 2-7

riverhead 2-7

username command 3-6

W

WBM

activating 2-11

WBM logo

adding 3-34

deleting 3-35

worm

dynamic filter 6-23

identifying attack 6-23

overview 6-22

policy 6-11, 6-12

policy templates 6-4, 6-23

thresholds 6-22, 6-23

worm_tcp policy template 6-5

X

XML schema 10-7 to 10-9, 11-16, 12-7

Z

zombies 1-3

zone

anomaly detection 8-2

clearing counters 11-5

command 4-5, 4-6, 9-4

command completion 3-12, 4-7

comparing 7-15

configuration mode 2-3, 4-7

copying 4-6

creating 4-5

defining IP address 4-8

deleting 4-5

deleting IP address 4-9

duplicating 4-6

excluding IP address 4-8

exporting configuration 4-17

IP address 4-8

learning 7-2

LINK templates 7-4

modifying IP address 4-8

operation mode 4-5

reconfiguring 4-7

synchronize configuration 4-9

synchronizing automatically 4-12

synchronizing offline 4-14

templates 4-3

viewing configuration 4-7

viewing policies 6-24

viewing status 11-3

zone policy

marking as tuned 4-8, 7-11

zone synchronization 7-4